Tor Browser 6.5 is now available from the Tor Browser Project page [1]
and also from our distribution directory [2].
1: https://www.torproject.org/download/download-easy.html
2: https://www.torproject.org/dist/torbrowser/6.5/
This release features important security updates [3] to Firefox.
3: https://www.mozilla.org/en-US/security/advisories/mfsa2017-02/
This is a major release and the first one in the 6.5 series. First of
all it fixes the usual critical bugs in Firefox by updating to ESR
45.7.0. It contains version updates to other bundle components as well:
Tor to 0.2.9.9, OpenSSL to 1.0.2j, HTTPS-Everywhere to 5.2.9, and
NoScript to 2.9.5.3.
Besides those updates Tor Browser 6.5 ships with a lot of the
improvements we have been working on in the past couple of months.
On the security side we always block remote JAR files [4] now and
remove the support for SHA-1 HPKP pins [5]. Additionally we backported
from an other firefox branch patches to mark JIT pages as non-writable
and other crash fixes that could disrupt a Tor Browser session quite
reliably.
4: https://trac.torproject.org/projects/tor/ticket/20123
5: https://trac.torproject.org/projects/tor/ticket/19164
With respect to user tracking and fingerprinting we now isolate
SharedWorker script requests to the first party domain. We improved our
timer resolution spoofing and reduced the timing precision for
AudioContext, HTMLMediaElement, and Mediastream elements. We stopped
user fingerprinting via internal resource:// URLs, and for Windows
users we fixed a regression introduced in Tor Browser 6.0 which could
leak the local timezone if JavaScript were enabled.
A great deal of our time was spent on improving the usability of
Tor Browser. We redesigned the security slider and improved its labels.
We moved a lot of Torbutton's privacy settings directly into the
respective Firefox menu making it cleaner and more straightforward to
use. Finally, we moved as many Torbutton features as possible into
Firefox to make it easier for upstreaming them. This allowed us to
resolve a couple of window resizing bugs that piled on over the course
of the past years.
The features mentioned above are only some of the highlights in
Tor Browser 6.5. The full changelog since 6.0.8 is:
* All Platforms
* Update Firefox to 45.7.0esr
* Tor to 0.2.9.9
* OpenSSL to 1.0.2j
* Update Torbutton to 1.9.6.12
* Bug 16622: Timezone spoofing moved to tor-browser.git
* Bug 17334: Move referrer spoofing for .onion domains into tor-browser.git
* Bug 8725: Block addon resource and url fingerprinting with nsIContentPolicy
* Bug 20701: Allow the directory listing stylesheet in the content policy
* Bug 19837: Whitelist internal URLs that Firefox requires for media
* Bug 19206: Avoid SOCKS auth and NEWNYM collisions when sharing a tor client
* Bug 19273: Improve external app launch handling and associated warnings
* Bug 15852: Remove/synchronize Torbutton SOCKS pref logic
* Bug 19733: GETINFO response parser doesn't handle AF_UNIX entries + IPv6
* Bug 17767: Make "JavaScript disabled" more visible in Security Slider
* Bug 20556: Use pt-BR strings from now on
* Bug 20614: Add links to Tor Browser User Manual
* Bug 20414: Fix non-rendering arrow on OS X
* Bug 20728: Fix bad preferences.xul dimensions
* Bug 19898: Use DuckDuckGo on about:tor
* Bug 21091: Hide the update check menu entry when running under the sandbox
* Bug 19459: Move resizing code to tor-browser.git
* Bug 20264: Change security slider to 3 options
* Bug 20347: Enhance security slider's custom mode
* Bug 20123: Disable remote jar on all security levels
* Bug 20244: Move privacy checkboxes to about:preferences#privacy
* Bug 17546: Add tooltips to explain our privacy checkboxes
* Bug 17904: Allow security settings dialog to resize
* Bug 18093: Remove 'Restore Defaults' button
* Bug 20373: Prevent redundant dialogs opening
* Bug 20318: Remove helpdesk link from about:tor
* Bug 21243: Add links for pt, es, and fr Tor Browser manuals
* Bug 20753: Remove obsolete StartPage locale strings
* Bug 21131: Remove 2016 donation banner
* Bug 18980: Remove obsolete toolbar button code
* Bug 18238: Remove unused Torbutton code and strings
* Bug 20388+20399+20394: Code clean-up
* Translation updates
* Update Tor Launcher to 0.2.10.3
* Bug 19568: Set CurProcD for Thunderbird/Instantbird
* Bug 19432: Remove special handling for Instantbird/Thunderbird
* Translation updates
* Update HTTPS-Everywhere to 5.2.9
* Update NoScript to 2.9.5.3
* Bug 16622: Spoof timezone with Firefox patch
* Bug 17334: Spoof referrer when leaving a .onion domain
* Bug 19273: Write C++ patch for external app launch handling
* Bug 19459: Size new windows to 1000x1000 or nearest 200x100 (Firefox patch)
* Bug 12523: Mark JIT pages as non-writable
* Bug 20123: Always block remote jar files
* Bug 19193: Reduce timing precision for AudioContext, HTMLMediaElement, and MediaStream
* Bug 19164: Remove support for SHA-1 HPKP pins
* Bug 19186: KeyboardEvents are only rounding to 100ms
* Bug 16998: Isolate preconnect requests to URL bar domain
* Bug 19478: Prevent millisecond resolution leaks in File API
* Bug 20471: Allow javascript: links from HTTPS first party pages
* Bug 20244: Move privacy checkboxes to about:preferences#privacy
* Bug 20707: Fix broken preferences tab in non-en-US alpha bundles
* Bug 20709: Fix wrong update URL in alpha bundles
* Bug 19481: Point the update URL to aus1.torproject.org
* Bug 20556: Start using pt-BR instead of pt-PT for Portuguese
* Bug 20442: Backport fix for local path disclosure after drag and drop
* Bug 20160: Backport fix for broken MP3-playback
* Bug 20043: Isolate SharedWorker script requests to first party
* Bug 18923: Add script to run all Tor Browser regression tests
* Bug 20651: DuckDuckGo does not work with JavaScript disabled
* Bug 19336+19835: Enhance about:tbupdate page
* Bug 20399+15852: Code clean-up
* Windows
* Bug 20981: On Windows, check TZ for timezone first
* Bug 18175: Maximizing window and restarting leads to non-rounded window size
* Bug 13437: Rounded inner window accidentally grows to non-rounded size
* OS X
* Bug 20590: Badly resized window due to security slider notification bar on OS X
* Bug 20439: Make the build PIE on OSX
* Linux
* Bug 20691: Updater breaks if unix domain sockets are used
* Bug 15953: Weird resizing dance on Tor Browser startup
* Build system
* All platforms
* Bug 20927: Upgrade Go to 1.7.4
* Bug 20583: Make the downloads.json file reproducible
* Bug 20133: Don't apply OpenSSL patch anymore
* Bug 19528: Set MOZ_BUILD_DATE based on Firefox version
* Bug 18291: Remove some uses of libfaketime
* Bug 18845: Make zip and tar helpers generate reproducible archives
* OS X
* Bug 20258: Make OS X Tor archive reproducible again
* Bug 20184: Make OS X builds reproducible (use clang for compiling tor)
* Bug 19856: Make OS X builds reproducible (getting libfaketime back)
* Bug 19410: Fix incremental updates by taking signatures into account
* Bug 20210: In dmg2mar, extract old mar file to copy permissions to the new one
(If you are about to reply saying "please take me off
this list", instead please follow these instructions:
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-announce/
You will have to enter the actual email address you used to subscribe.)
Tor 0.2.9.9 fixes a denial-of-service bug where an attacker could
cause relays and clients to crash, even if they were not built with
the --enable-expensive-hardening option. This bug affects all 0.2.9.x
versions, and also affects 0.3.0.1-alpha: all relays running an affected
version should upgrade.
This release also resolves a client-side onion service reachability bug,
and resolves a pair of small portability issues.
You can download the source code from https://dist.torproject.org/
but most users should wait for the upcoming Tor Browser release, or
for their upcoming system package updates.
Changes in version 0.2.9.9 - 2017-01-23
o Major bugfixes (security):
- Downgrade the "-ftrapv" option from "always on" to "only on when
--enable-expensive-hardening is provided." This hardening option,
like others, can turn survivable bugs into crashes -- and having
it on by default made a (relatively harmless) integer overflow bug
into a denial-of-service bug. Fixes bug 21278 (TROVE-2017-001);
bugfix on 0.2.9.1-alpha.
o Major bugfixes (client, onion service):
- Fix a client-side onion service reachability bug, where multiple
socks requests to an onion service (or a single slow request)
could cause us to mistakenly mark some of the service's
introduction points as failed, and we cache that failure so
eventually we run out and can't reach the service. Also resolves a
mysterious "Remote server sent bogus reason code 65021" log
warning. The bug was introduced in ticket 17218, where we tried to
remember the circuit end reason as a uint16_t, which mangled
negative values. Partially fixes bug 21056 and fixes bug 20307;
bugfix on 0.2.8.1-alpha.
o Minor features (geoip):
- Update geoip and geoip6 to the January 4 2017 Maxmind GeoLite2
Country database.
o Minor bugfixes (portability):
- Avoid crashing when Tor is built using headers that contain
CLOCK_MONOTONIC_COARSE, but then tries to run on an older kernel
without CLOCK_MONOTONIC_COARSE. Fixes bug 21035; bugfix
on 0.2.9.1-alpha.
- Fix Libevent detection on platforms without Libevent 1 headers
installed. Fixes bug 21051; bugfix on 0.2.9.1-alpha.
